The agreement concluded between Switzerland and the United States of America (USA) on August 29, 2013, which aimed to encourage the cooperation between the banks having an activity in Switzerland and the Department of Justice (DoJ)(1) has already generated a lot of discussions. In particular, several authors have written about the rights of employees and ex-employees of the said banks, namely in relation with their rights to data and personality protection(2). The purpose of this article is to provide an overview of the situation almost two years after the agreement was signed.
The situation before the US Program
The issue of the infringement of data protection rules regarding employees and ex-employees of banks having a registered seat in Switzerland appeared in 2008, when UBS transferred information regarding bank accounts of more than 250 clients to the DoJ. The transfer led to a public outcry, involving as much the highest political and judicial bodies, and initiated the long agony of the Swiss bank secrecy(3).
The same interrogations resurfaced when investigations were opened by the DoJ against several banks in 2010, while the UBS case had not yet been ruled upon by the Federal Supreme Court. It appeared that the entities concerned by the investigations had transferred to the American authorities, by fear of the sanctions they were exposed to, a profusion of information which had to do in particular with their employees or ex-employees.
If some high executives of these banks had indeed been involved in the decision-making process regarding US clients, it was not the case of all employees whose data was transferred. Some of them had only been copied in some e-mails or had received internal directives, but had not been in charge of determining the bank’s strategy regarding the acquisition or conservation of this “sensitive” category of clients.
It is only in 2012, when those transfers were revealed to the public, that employees learned, often only after having expressly questioned their employer, that their names and other personal information had been transmitted to the American authorities.(4)
In this context, the Federal Data Protection and Information Commissioner (FDPIC) issued recommendations for the banks in question in October 2012. According to these, the banks had to (i) grant to the concerned employees a right of access according to art. 8 of the Federal data protection Act (FDPA); (ii) inform in advance the employees and ex-employees regarding the scope and nature of the documents to be transmitted as well as the relevant period of time in order for them to be able to exercise their right to access and (iii) in case of an opposition, to balance the interests at hand. If it decided based on this balance of interests to still proceed with the data transfer, it had to inform the employee about his rights.(5)
What changed with the US Program
The purpose of the US Program is to encourage the banks to self-report themselves in order to negotiate a Non Prosecution Agreement (NPA), in exchange for payment of a hefty fine. The banks which felt concerned by the issue of undeclared accounts of US clients had the possibility to register under category 2 of the program (category 1 being that of the banks already under investigation, as seen above, whereas categories 3 and 4 are reserved to banks who considered that they were not concerned by this issue).
When registering for the category 2 of the Program (by filing a letter of intent with the DoJ before the end of 2013), the banks had to prove itself by handing over to the authorities all the data regarding the structure and management of foreign activities regarding US clients, the name and function of the persons responsible for these activities, the internal directives regarding the acquisition of those clients and the number of accounts linked with the USA which (i) existed on August 1, 2008; (ii) were opened between August 1, 2008 and February 28, 2009 or (iii) were opened after February 28, 2009, as well as the total amount of assets on these accounts (stage II.d.1).
After having handed over this information and in order to hope to obtain an NPA, it was necessary to transmit to the DoJ before July 31, 2014 all data regarding the accounts that had been closed during the period of reference, in particular information regarding (i) the maximal amount for each account, (ii) the number of persons or entities linked to the account having a relationship with the US, (iii) whether the account holder was a natural person or a company, (iv) whether it held US securities during this period, (v) the name and function of all employees and third parties involved in the management and monitoring of these accounts during this period and (vi) the transfer of funds to and from every of these accounts during this period (stage II.d.2, so-called “Leaver’s lists”).
Since this Program was likely to involve all the banks in the country and because the project of the “Lex USA”, which aimed at giving a legal basis for the cooperation of the banks with a foreign authority, was refused by the National Council (6) , the Federal Council chose to issue authorizations based on a “model decision”, freeing each bank from prosecution under art. 271 of the Criminal Code, which sanctions unlawful activities on behalf of a foreign state. These authorizations allow the banks to cooperate with the DoJ in the framework of the Program. However, the communication of information regarding the account holders, which is protected by the bank secrecy and must therefore be required by way of a mutual assistance procedure, remains prohibited.
Additionally, the Federal Council inserted a reminder in its authorization, stating that it only provides the banks with immunity from prosecution based on art. 271 CP but that it does not exempt them from respecting the other provisions of Swiss law, namely those on business and bank secrets, on data protection and on their duties as an employer. (7)
The FDPIC also published a note to the attention of the banks regarding the transmission of personal data to the American authorities (8), where he reminded the five principles to respect in this context. He namely specified that if the person concerned refused that his or her name be transferred, the bank must, in application of art. 13 FDPA, substantiate just cause in order to proceed with the transfer and, at the same time, comply with the conditions of art. 6 FDPA in order to transfer data to a country that does not guarantees adequate legal protection. It also added that if, after having weighed the interests at stake, the bank decided to transfer data against the will of the concerned person, he or she can file a claim based on the right to protection of personality pursuant to art. 15 FDPA.
At the same time, an agreement was struck between the Swiss banking employees association (ASEB), the business association of Swiss banks (AP Banks) and the Swiss banks association (ASB) on May 29, 2013 (9). This agreement contains the obligations of the banks in respect to data and personality protection of their employees and ex-employees. In particular, it states that they must respect the recommendations of the FDPIC and, if necessary, finance the legal costs of employees who are criminally prosecuted in the USA for actions carried out in the course of their professional activity. It also provides for the setting up of a fund for cases of hardship. Finally, it contains provisions on protection against discriminations and dismissals, it being specified that the fact that one has its name on the list of transferred data does not constitute a valid cause for termination.
According to art. 4 par. 1 FDPA, personal data may only be processed lawfully. Art. 6 par. 1 FDPA prohibits cross-border data transfers if the privacy of the data subjects would be seriously endangered thereby, in particular due to the absence of legislation that guarantees adequate protection. Exceptions to this principle are namely the consent of the person (par. 2 let. b) or the existence of an overriding public interest (par. 2 let. d). Finally, art. 13 par. 1 FDPA stipulates that a breach of privacy is unlawful unless it is justified by the consent of the injured party, by an overriding private or public interest or by law.
It is interesting to note that in a decision dated April 25, 2013 (10), rendered on an appeal filed by an employee of HSBC (who was put under investigation in 2010) against an ordinance of non-consideration from the Federal Prosecutor, the Complaints division of the Swiss Federal Criminal Court confirmed that the transmission of information to the American authorities could not be sanctioned under the criminal provisions of the data protection rules (consid. 5.1). Also, in a decision dated October 16, 2013 (11), the Labour Court of Geneva considered that the bank did not commit an unlawful breach of its employee’s personality rights (consid. 5).
Nevertheless, since the implementation of the US Progam, namely since the turmoil caused by its stage II.d.2, case law seems to have evolved toward greater protection of the employees’ rights. Indeed, the justification of the overriding public interest of the Swiss financial centre, which the banks tried to oppose to their employee’s claims, has recently been refused by the Courts. Notably, in its judgement dated December 12, 2014 (12), the appeal Court of the canton of Geneva noted that the FDPIC did recognize that the transmission of data could generally be of public interest in the context of the tax conflict between Switzerland and the USA, but that it did not state that this interest should always outweigh the others and that a balance of the interests at hand had to be made on a case by case basis (consid. 3.2.4). In the case at hand, the Court considered that the allegations of the bank according to which a lack of collaboration on its part would have a negative incidence on the Swiss financial centre were not substantiated by any concrete elements and that it had to be viewed as a mere private interest of the bank itself (consid. 3.2.4).
If such evolution towards a better balance of the employees’ rights should be welcomed, it must however be noted that the Courts which provisionally prohibited the transfer of data at the request of an employee still have to decide on the merits whether they maintain the prohibition or not. We must therefore hope that the position of the appeal Court mentioned above will be retained. Yet due to the fact that it is a case by case approach and that several cantons are concerned by such proceedings, there is a risk that the multiplication of decisions on this question could lead to many contradictions. Unfortunately, because of the principle of exhaustion of remedies, the Federal Supreme Court will probably not be asked rule on this question before 2016.
What to expect in the future?
From the point of view of the cantonal Courts, it is clear that the first judgement on the question of the prohibition of a data transfer in these circumstances will serve as a reference. Such decision will however be crucial for the Swiss financial centre, since if the absence of overriding public interest is confirmed, it will have great repercussions on the claims for damages of employees whose data has been transferred.
As for the possible consequences abroad of the decisions of the Swiss Courts, let’s remember that we do not yet know what will be the reaction of the DoJ, in particular if it will be satisfied with the fines cashed in and the information obtained or if it might launch a large scale offensive against bank employees, it being specified that the letter of the NPA does not exclude individual proceedings against them. However, since the DoJ will then have closed the dispute with the bank itself, it is not certain that it will still have an interest to pursue the employees individually, at least not the “small fish”. One more indication in this perspective is the result of the criminal proceedings against Raoul Weil, which ended in an acquittal. The USA will therefore presumably be a little more cautious in the future when evaluating the chances of success of an action against a bank employee.
It is certain that future nuisances for the employees whose personal data has been transferred cannot be excluded at the present time, since it is impossible to predict what the American authorities will do with the information obtained from the banks in Switzerland. The worst case scenario would of course be the one of a full cooperation between the various federal agencies (DoJ, IRS, USCIS), which would facilitate the exchange of sensitive information and prosecution against each individual, especially if he or she is on American soil. Furthermore, the fear of prosecution will last for several years for these employees, each trip thus being a substantial source of anxiety. The banks should therefore be careful to accomplish their duty of support if they wish to minimize the risks of having to defend claims for damages.
In conclusion, it is obvious that, almost two years after the signature of the agreement, there is considerable uncertainty about the US Program. Simultaneously, we must consider that it is now part of the daily life of the banking industry and of its employees, especially since FATCA (the US Foreign Account Tax Compliance Act) has been implemented in Switzerland and now regulates the exchange of information between Swiss banks and the American authorities. On the contrary, the fact that many questions remain unanswered, on one hand because there is no established case law and on the other hand because the intentions of the USA remain nebulous, indicates that the talks about the US Program are far from being closed.
(1) Joint Statement signed by the Swiss and American authorities and detail of the US Program, published by the DoJ on August 29, 2013.
(2) “Knacknüsse bei der Lieferung von Daten durch Schweizer Banken an die USA”, by Dr Tobias F. Rohner and Urs Furrer, published in ST/ECS 2013, p. 515 ff.; “La communication aux autorités américaines, par des banques, de données personnelles sur leurs employés: aspects de droit du travail”, by Prof. Gabriel Aubert, published in SZW/RSDA 2013, p. 40 ff.
(3) “Transmission par la FINMA de dossiers de clients aux Etats-Unis, le Tribunal fédéral met un point final à l’affaire“, by Lucia Gomez Richa, published on November 30, 2011 on the Website of the Centre for Banking and Financial Law of the University of Geneva; ATF 137 II 431 of July 15, 2011.
(4) Judgements of the Federal Supreme Court 4A_406/2014 and 4A_408/2014, January 12, 2015, consid. A.
(5) Press release from the FDPIC dated December 16, 2012.
(6) Official Bulletin – National Council – June 19, 2013: 13.054 Declaration of the National Council. Resolution of the tax dispute between Swiss banks and the USA.
(7) Decision model of the Federal Council and explanatory note published by the Federal Department of Finance (FDF).
(8) Note of the FDPIC to the banks regarding the transmission of personal data to the American authorities, dated June 20, 2013.
(9) Agreement between the ASEB/AP/ASB dated May 29, 2013, published.
(10) Decision of the Federal Criminal Court dated April 25, 2013 (n° BB.2012.133).
(11) Decision of the Labour Court of Geneva dated October 16, 2013, published in JAR 2014 p. 410.
(12) Judgement of the Court of appeal of Geneva dated December 12, 2014 (n° ACJC/1541/2014).
(13) Non-Prosecution Agreement signed with BSI on March 25, 2015, published by the DoJ.